CnsMin - post 2

Thomas

This is in reply to a previous post I posted - CnsMin is
indeed untouchable - I want to see what Engel has to say
about this.

---------------------------------------
Thank you Andy and Engel.

This CnsMin is not only untouchable - it is the Lord
Supreme of spyware. I have been fighting it for months
and have not been successful. It is so clever that it can
even change with our attack. Let me give you a run down
on what I have tried - this will take a while.

I have tried all the manual steps listed in Doxdesk.com
and other antispyware websites previously and it did not
work. In fact I tried to be ingenious and tried even more
than what doxdesk has asked for as in removing other
things by DOS command prompt too - and to date - I have
failed.

First antispyware I have is spybot - that failed
every time - did not even come close.
Next - Yahoo Antispy - that deletes some but they always
come back.
Next Computer associates Pest Patrol - that did delete
and advised restart initially but on subsequent scans - it
may just become disabled and become non-responsive. I
have tried to run the Pest patrol both in normal mode and
in safe mode too (administrator) --- one important point
to note - ever since I have CnsMin on board - I have been
denied access to my administrator mode under the normal
boot up and can only access my administrator mode under
the safe mode boot up.

Next I have been trying to solve this problem with tech
support at CA pest patrol -- we have tried multiple
approaches and to date CA pest patrol has temporarily
conceded defeat -- telling me that the case is currently
under research and will stay open as of date. The
following are the things we have tried:

1) Thank you for contacting my-eTrust Technical Support
Please delete the following files and registry entries
from the machine to get rid of that pest.
Boot the machine into SAFEMODE and delete the folder
RECYCLER from File "C:\".
Delete the folder 'Yahoo' from "C:\Program Files" and the
folder 3721.
The folder "downloaded program files" from C:\Windows and
File "C:\WINDOWS\system32\drivers\cnsminkp.sys"
The folder 'downlo~1' from File "C:\WINDOWS\"
Go to Start->Run->Regedit and delete the entries, delete
folder !cns from key "hkey_local_machine
\software\microsoft\internet explorer\advancedoptions\"
key "hkey_local_machine \software\3721 folder should be
deleted.
Folder extensions from key "hkey_local_machine
\software\microsoft\internet explorer
In case of any further assistance in this regard, please
revert back to this email
Thank you and have a great day

---> Tried the above -- My reply:
Hi, I tried to go along with your instructions but could
not complete the very first step - unable to delete the
file RECYCLER from C:\ --- the error message is "Access
denied. Please ensure that file is not in use or write
protected etc." Is there anything I need to do before I
can delete that file? I.e. any processes I need to kill
before I can delete that file? I think I saw the file
cnsminkp.sys loading even with my safemode startup.
Please further advise.

2) Their reply:
Thank you for contacting my-eTrust Technical Support
In order to delete that file, you may have to set
permissions.
Just right click on that particular registry entry and
set permissions as full access to the user.
Then delete the file.
In case of any further assistance in this regard, please
revert back to this email

My reply:
Hi, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded program file list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
program files folder are especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. These are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting these 2 files,
windows would not allow me to delete the folder
downloaded program files completely. Also, every time I
attempt to delete these 2 files, I will notice the
RECYCLER folder may reappear too.
Also, there is still a problem with these 2 files that
will also reappear every single time I try to remove them
manually - see this message that I sent previously: Hi
Sam, after trying your advice, I finally did manage to
delete the RECYCLER folder after going through the
permission lists of all subfolders and deleting them
individually. However, I am not able to delete the
Downloaded program file list - I did manage to disable my
Yahoo Messenger though. Two files in the Downloaded
program files folder are especially resistant to deletion -
the CnsHook.dll and the CnsMin.dll files. These are the
only 2 files left and they will reappear a few seconds
after I delete them. And without deleting these 2 files,
windows would not allow me to delete the folder
downloaded program files completely. Also, every time I
attempt to delete these 2 files, I will notice the
RECYCLER folder may reappear too. How do I remove the 2
files above?

3) Their reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Please try to remove the files in the SAFEMODE for
permanent deletion.
In case of any further assistance in this regard, please
revert back to this email

My reply:
I did try to remove them in Safe mode. I tried all the
permission steps you previously suggested too. I even
tried to use the MSDOS command prompt to try to delete
it. I tried even to rename it first then delete. Also
tried rename first, then reboot then delete - all in
MSDOS command mode - doesn't work. Tried all the ways I
can think of so far - to remove them in SAFE mode using
both the windows delete function as well as the MSDOS
delete function - doesn't work. This is the most
resistant pest I have met thus far.

4) Their reply:
Hi,
Thank you for contacting eTrust PestPatrol HelpDesk.
There are a couple of things I would like you to do in an
attempt to resolve this issue.
Please note: It is very important that you follow this
email in order. The first thing we need to ensure is that
you have the most recent updates. This can be done by
selecting the Updates menu under the Advanced Settings
section of your software.
Next, please look in your Add/Remove Programs Control
Panel for any toolbars, search bars, search assistants
and any other odd programs that may be present there and
uninstall them.
When you are done in the Control Panel, please run a
thorough scan. To do that, you will need to select custom
scan from the scan menu. Here you will see your different
drive letters, please select the ones you would like to
scan. I would encourage you to select all of the drive
letters associated with the hard drive(s) on your PC.
When the scan is complete please select the items you
would like to keep and click the Exclude Checked Pests
button.
Next, check the remaining pests and click on Quarantine.
Reboot your PC and run another scan to see if you are
still experiencing the same issues. If you are, please
try the following:
1. shut down your computer
2. turn it back on and tap the F8 key repeatedly until you
get a boot menu
3. select Safe Mode with Networking ***if you have Safe
Mode as the only option please select it***
Once you are in Safe Mode please delete any items located
within the temp directory. It is possible for some pest(s)
to hide within this directory and to reinstall
components that have been removed by Pest Patrol. To
clear the temp directory:
1. click on start, then run and enter %temp%
2. click ok and a new window will open - you will be in a
temp folder
3. please hold down "Ctrl" on the keyboard and press the
"A" key - this will select ALL items in the folder
4. press the "Delete" key on the keyboard
Reboot your PC into Normal Mode and rescan again
with PestPatrol. See if the problem still pertains. If it
does, this means that there is one or more files residing
on your system called a "trickler". These files load on
bootup and cause the pest(s) to reappear.
To track down which file(s) may be responsible:
1. click on start, then run and enter msconfig
2. click on ok and you will be taken into the system
configuration utility
3. click on the startup tab at the top right-hand corner
4. please make a list of what is checked in these boxes
5. uncheck all components and click on ok !!!PLEASE MAKE
SURE THAT THE ONLY TAB YOU ALTER IN MSCONFIG IS THE
STARTUP TAB!!!
6. you will be asked to reboot the computer, please click
yes or ok
7. after the reboot you will see a pop-up telling you that
you have made changes in configuration utility, place a
check in the box and click ok
Check to see if any pests have returned. If not,
then you know it was one of the startup programs that was
causing the issue. At this point you can go back into
msconfig startup tab and recheck one item at a time.
Please note: you will need to reboot after each item is
checked and run a scan to see if the pest(s) returned.
Completing the steps above should resolve your issue. If
for some reason it does not, please send me a copy of the
logs by following the steps below:
1. Launch PestPatrol and click on "Advanced Settings"
2. Click on Log
3. Click on Save Log
4. Save it to the location you can easily find it from
5. From your e-mail program you can then attach the log by
using the "Attach" function and browsing to the saved log.
You can also include the Quarantine Log:
1. Click on Advanced Settings
2. Click on Quarantined Pests
3. Click on Save Report
4. Save it to the location you can easily find it from
5. From your e-mail program you can then attach the log
by using the "Attach" function and browsing to the saved
log.
Thank you and have a great day
CA Consumer Support

My reply:
I am now convinced that this is one of the most powerful
and clever pests ever. I have tried all the steps you
described. First of all, when I tried to remove all the
suspicious stuff from my Add/Remove programs - there are
2 programs that are not removable: 1) A program
named "Yahoo Address Autocomplete" and 2) Yahoo Messenger
explorer bar. I think that these are 2 programs
masquerading as Yahoo programs - I have uninstalled my
Yahoo components without problems but cannot uninstall
those 2 programs even in safe mode. Then, I am not able
to load my safemode with networking - the computer will
show an error blue screen every time I try to do that.
Also, every time I tried to use your program to quarantine
the Cnsmin pests - your program will become unresponsive.
This goes the same for the freeware program spybot.
Next, I tried to use the msconfig to stop all my startup
programs as you have suggested. I rebooted and guess
what? Lo and Behold, there are 2 programs that I cannot
even use my msconfig to disable (see how smart these
people are). These 2 programs are as follows: 1) Name:
Cnsmin; Command: Rund1132.exe C:\WINDOWS\DOWNLO~1
\Cnsmin.dll,Rundll32; location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run; the
other program that continues to appear is Name: Ctfmon,
Command: C:\WINDOWS\system32\ctfmon.exe, location:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Even
in safemode after trying to disable all the startup
programs, I cannot remove the program that is not
removable with the add/remove command and I cannot use
your program to quarantine Cnsmin - your program just
becomes unresponsive. And I cannot boot into safemode with
networking. I can however boot into safemode. Even after
trying to disable all the startup programs and also
booting into safemode, I noticed that the program file
Cnsminkp.sys continues to load with boot up. I will
attach the log for you. As your program continues
to "Hang" (i.e. becomes unresponsive) every time I try to
quarantine Cnsmin, I have no quarantine files to attach.
Please advise with this extremely clever and ingenious
pest. (Just a few days ago, my privacy firewall detected
it trying to send my bank account number over the net to
someplace with 3721 in its net address - it may function
more than a hijacker). Thanks for your help.

5) Their reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Please follow the steps and provide us the required
information to get this issue resolved.
1. Please go to C:\Documents and Settings\All
Users\Application Data\CA\eTrustPestPatrol and delete
PPv5log.txt.
2. Open eTrust PestPatrol and run a complete custom scan
on the machine, quarantine the pests found.
3. Run a custom scan again and quarantine the pests if
they are redetected.
Then, reboot the system in safe mode session and have the
scan again with a custom scan with ePP and then
quarantine all the pests found. Send the PPv5Log.txt
For assistance in going to Safe Mode, please go through
the following URL LINK
Click Start > Run > "MSInfo32.exe" - then "Save" as
an .NFO file and email this to us for further analysis.
Please zip it before attaching or attach all these files
in a single zip file
Next one is download this file and create a report
Digital detective
Download this and run it and send us a report which is
generated
It displays all the files which are there in the PC for us
to check.

My reply:
Thanks for looking deeper into the case. I have followed
your instructions and will be attaching the files you
requested. The first scan with EPP, I quarantined the
files, it says I should restart but I did not and scanned
again as you have instructed and quarantined again. The
first scan yielded about 200 plus files, the second scan
yielded about 66 files that are only related to Cnsmin. I
then restarted and rebooted into safe mode. This time the
scan turns up only 61 files related to Cnsmin but while
trying to quarantine the pests, your program became
unresponsive (as per previous time - probably disabled by
this strong pest). I will attach files you requested. If
you need me to also attach the files that cannot be
deleted whatever method I try - i.e. the Cnsmin.dll and
Cnshook.dll in the C:\Windows\Downloaded program files
folder - please let me know and I will attach them for
you. Recently, I had found that there are files in the
folder C:\program files\3721 that cannot be deleted too.
Thanks for your help - Hope you find fighting this super
pest an enjoyable challenge

6) Subsequently - they sent me a .bat file to run on my
computer to help fight this. I tried it and the following
is my reply:
Hi, Thanks for working on this problem. I have done the
steps mentioned in your email. The steps I did were:
1. Extracted the correctreg.bat file you sent me.
2. Logged into safemode.
3. Ran the correctreg.bat file and then tried to delete
cnsmin.dll and cnshook.dll
4. At the same time, I deleted many other files in the same
downloaded Program files folder, deleted the folder
Recycler under C:\, tried to delete the folder
C:\Program files\3721
The following are the programs encountered:
1. I managed to delete the folder C:\Recycler, it allowed
me to delete the cnsmin.dll and cnshook.dll but once you go
out of the folder C:\windows\downloaded Program files --
those 2 files will reappear. Also, this time, there are
also 2 files in that same folder that cannot be deleted --
the Cnsio.dll and CnsminIO.dll files - both cannot be
deleted and would not allow me to even change permissions
or take hold of them.
2. The file CNSMIN.dat in C:\program files\3721 is now
resistant to deletion too
3. I think they have taken control of my recycle bin too.
Now, whatever file I delete will no longer go into the
recycle bin but will just disappear.
4. After I reboot back to normal mode and rescanned, there
are still 165 files reviewed. I tried to quarantine,
although EPP became unresponsive while doing that, I still
managed to get a quarantine report to send off to you.
I will be attaching a ZIP file containing the PPv5log.txt
from the folder that you told me about during your last
email (I did the delete thing then rescan again), as well
as the quarantine pest report and also the digital
detective report that I generated again this time. Thanks
and please keep me updated.

Their most current reply:
Hi,
Thank you for contacting my-eTrust Technical Support
Thank you for the information provided to us regarding
the issue. The issue is still under research and we shall
get back to you once we get the update from our research
team. Until then, the issue will be under open status


The following are what I have done with your Microsoft
antispyprogram:

1) I have scanned and tried removal both in normal boot
up and safe mode bootup -- and both removal processes have
failed.

2) After a few removal attempts and scans - now it seems
like the CnsMin has evolved and now the MS antispy is
detecting something as "Possible browser hijacker" -- I
removed that too - but it seems like it can come back too.

3) I used your advanced settings and tried to remove the
things that I think are related to CnsMin - i.e. the 3721
helper - it failed. Next I tried to block it - it seems
like it is failing now. I initially tried to block it
from changing URLs etc - and MS antispy did work for a
few days --- then for the past 2 days - for no good
reasons - I would get messages from MS antispy that it
has allowed a URL change - without asking me for
permission and without my permission.

Hence, I am now convinced that CnsMin is the ultimate
lord supreme of spyware and whatever antispyware can
fight it and remove it - may justly be considered the
best antispyware in this current market.

I was actually on my way out to get spysweeper so that I
can try it on my computer too - until I saw Engel and
Andy's helpful replies - do you guys have any more good
ideas?

The report spyware function on the MSantispy does not
work with this master of spyware --- as mentioned in my
initial post - I get an error message.

Thanks and await your reply guys.


One more thing - there are 2 programs that show up under
my add/remove program category - the Yahoo! Messenger
explorer bar and the Yahoo! Address autocomplete --- I
think these 2 are CnsMin masquerading as Yahoo - I have
been able to remove all other components of my Yahoo
toolbars or messenger except these 2 and at one stage - I
have found something that is masquerading as Yahoo
components - the YPager with a symbol we all so often
associate with Yahoo. Nowadays - even when I click to
check my Yahoo mails - there are attempts to send some
private information of mine over the web - which was
blocked with my Norton internet security.

Alright guys - if you enjoy a challenge - try this SUPREME
LORD OF SPYWARE. Let me know if you find anything helpful.

Thomas

Actually Andy, it is indeed a sincere post and I do have
a problem with CnsMin. I was working a 30-hour shift prior
to this and since you and Engel both replied to me, and I
am not sure if Engel had seen my reply post - I posted
it again to get his feedback too.

Didn't know that you will actually be offended. As I
mentioned - I was working a 30-hour shift yesterday and
have not tried your solution yet. Also, right now,
computer associates pest patrol research team as well as
the spy sweeper technical support have just again replied
and asked me to try multiple things including a fixing
tool they had attached and sent to my mail box ---- those
have since failed.

I am really grateful for your help and am currently
trying different things on my computer now to get rid of
it --- but I can only try one thing at a time, and each
of these solutions requires me to run multiple scans -
frequently deep scans on my computer to check my system
and I do have a hectic job schedule to run too.

Please excuse me if I have offended you by re-posting my
reply so that Engel does not have to sort through the many
posts that were posted on that forum daily but I do have a
problem and am actually grateful that you took that much
time to help.

If you are still upset and this is the last time that you
will help - thanks anyway - but I do think --- after all
these months of trying to get rid of it - it will
genuinely be interesting to see what is the final
solution and who ----- CA Pest Control team, Spysweeper
team ---- or Microsoft antispyware team (if there is a
team at all) can come up with a solution. I am obviously
concerned about this spyware - which is why, over the
past months -- I have downloaded or bought different
antispyware to see if one would work - none has for now
and I have already tried Yahoo antispy, Spybot, CA Pest
Patrol, Microsoft antispy beta and Spysweeper.

I do have a busy work schedule and hardly have time to
come up with such an elaborate prank and this irritating
spyware is already taking up too much of my time already.

Thomas
AndyManchesta

Hi Thomas

Thanks for the email, I was in no way offended by your
post, I've noticed some posts on here aimed at Engel which
are a bit abusive saying he always posts the same reply to
people, I also read the post by Engel in Portuguese in
which he said he was badly disabled and keeps replies
stored sometimes as he likes to help out when he can so
think the abusive postings are really unfair.

With me receiving this under a different name through my
email address and it being reposted for Engel my first
impression is that it's not genuine.

I'm sorry if I got that wrong and I'd always help out
anyone if I can, it's good you have been given some more
options by Pest Patrol, hopefully they have found a fix
for you.

I appreciate the amount of time it's taking you to try the
fixes and it must be annoying when it comes straight
back, I replied to this part 2 post in case it wasn't from
you, it's not an easy fix if cns has files in the drivers
folder & the downloaded program files folder which
regenerate when you remove them but maybe there is
another entry somewhere which is helping reinstall them.

Startdreck would show this but it would probably take a
while to work through the logs. With me saying use
Startdreck & Hijack this and post the logs, I wasn't trying
to say you should prove you have cnsmin, I just mean the
logs will show all areas of your pc and may show more
problems.

Try the fixes from Pest Patrol if they have replied to
you as they know the problems you've had so hopefully
they know what's causing it. Post the fixes back if you
get it clear. If not then don't give up as it may delete
with programs like killbox and move on boot once we know
all the filenames involved.

Regards

Andy
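
The startup-entry review discussed in this thread (the msconfig list, and the logs Andy asks for) comes down to reading each autorun command and asking what it actually loads. As an added example, not part of any post here and not code from any vendor mentioned, this Python script triages the two Run-key entries quoted in the thread; the heuristics, function names, and the reading of DOWNLO~1 as the short name of Downloaded Program Files are assumptions of the example.

```python
import ntpath
import re

# Constructed sample: the two Run-key entries quoted in the thread, copied as
# written there (including the "Rund1132.exe" spelling).
SAMPLE_ENTRIES = [
    {"name": "Cnsmin",
     "location": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "command": r"Rund1132.exe C:\WINDOWS\DOWNLO~1\Cnsmin.dll,Rundll32"},
    {"name": "Ctfmon",
     "location": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "command": r"C:\WINDOWS\system32\ctfmon.exe"},
]

# Assumption: DOWNLO~1 is the 8.3 short name of "Downloaded Program Files".
ACTIVEX_CACHE = ("\\downloaded program files\\", "\\downlo~1\\")
_DIGIT_SWAPS = str.maketrans("10", "lo")


def split_command(command):
    """Split an autorun command into (executable, remaining arguments)."""
    command = command.strip()
    if command.startswith('"'):                      # quoted executable path
        end = command.find('"', 1)
        if end == -1:
            return command[1:], ""
        return command[1:end], command[end + 1:].strip()
    match = re.match(r"(?i)(.+?\.exe)(?:\s+(.*))?$", command)
    if match:                                        # unquoted, ends in .exe
        return match.group(1), match.group(2) or ""
    parts = command.split(None, 1)
    return parts[0], parts[1] if len(parts) > 1 else ""


def imitates_rundll32(exe_name):
    """True if the name only matches rundll32.exe after 1->l / 0->o swaps."""
    name = exe_name.lower()
    return name != "rundll32.exe" and name.translate(_DIGIT_SWAPS) == "rundll32.exe"


def triage(entry):
    """Return a list of findings for one autorun entry (empty = nothing flagged)."""
    findings = []
    exe, rest = split_command(entry["command"])
    exe_name = ntpath.basename(exe).lower()
    lookalike = imitates_rundll32(exe_name)
    loads_dll = lookalike or exe_name == "rundll32.exe"
    if lookalike:
        findings.append(f"host binary '{exe_name}' imitates rundll32.exe")
    # For a DLL host, the code that runs is the DLL before the first comma.
    target = rest.split(",")[0].strip().strip('"') if loads_dll else exe
    if loads_dll:
        findings.append(f"autorun loads a DLL through a host process: {target}")
    if any(marker in target.lower() for marker in ACTIVEX_CACHE):
        findings.append("target lives in the ActiveX download cache")
    return findings


def report(entries):
    """Map each entry name to its findings."""
    return {entry["name"]: triage(entry) for entry in entries}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_ENTRIES).items():
        print(name, "->", findings or "nothing flagged")
```

An empty result means only that none of these three heuristics fired, not that the entry is safe.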
 
